From owner-freebsd-net Thu May 3 0:30:36 2001
Message-ID: <3AF108F2.BA4AF637@aurora.regenstrief.org>
Date: Thu, 03 May 2001 07:29:54 +0000
From: Gunther Schadow
Organization: Regenstrief Institute for Health Care
To: Darren Reed
Cc: thorpej@zembu.com, snap-users@kame.net, julian@elischer.org, freebsd-net@freebsd.org, ipfilter@coombs.anu.edu.au, altq@csl.sony.co.jp
Subject: Re: (KAME-snap 4629) Re: The future of ALTQ, IPsec & IPFILTER playing together ...
References: <200105030001.KAA24308@avalon.reed.wattle.id.au>

Darren Reed wrote:
>
> In some email I received from Jason R Thorpe, sie wrote:
> > On Thu, May 03, 2001 at 08:30:55AM +1000, Darren Reed wrote:
> >
> > > IPFilter 4.0 will, as part of its general increase in kernel bloat,
> > > let you use BPF expressions for matching. There are other things
> >
> > You mean "pcap/tcpdump expressions"?
>
> They are included.
>
> > BPF "expressions" are literally BPF bytecodes.
>
> Well, one of the goals of IPFilter is it can parse (as rules) a textual
> representation of what's currently loaded into the kernel. At the moment
> that means collecting hex output, as the bytecode instructions are less
> suited to being displayed all on the one line.

I don't think that that's critical.
When I write C, C++ or Java programs I don't expect them to be
disassembled into the source language. What is more important is
that any classifier / filter is fast, as fast as it gets. It is
my understanding that BPF is very fast, and that BPF scales very
well for even complex expressions.

BPF may need some extension to be useful as a classifier, mainly,
instead of a simple true/false output one would want a number
representing the class. Also, it's been noted before, the BPF
machine needs some state awareness between packets.

regards
-Gunther

--
Gunther Schadow, M.D., Ph.D.                    gschadow@regenstrief.org
Medical Information Scientist      Regenstrief Institute for Health Care
Adjunct Assistant Professor        Indiana University School of Medicine
tel:1(317)630-7960                         http://aurora.regenstrief.org
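
An added illustration, not part of the message above and not code from IPFilter, ALTQ or KAME: a reduced classic-BPF interpreter (four opcodes) in which the RET operand is read as a class number instead of accept/reject. The program, the class numbering and the packets are constructed for this example, and the offsets assume raw IPv4 with no IP options.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Same field layout as classic BPF's struct bpf_insn; opcode values are the classic ones. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum { LD_B_ABS = 0x30, LD_H_ABS = 0x28, JEQ_K = 0x15, RET_K = 0x06 };

/* Constructed class table: 0 = default, 1 = TCP to port 22,
 * 2 = UDP, 3 = other TCP. Assumes raw IPv4 without IP options. */
static const struct insn prog[] = {
    { LD_B_ABS, 0, 0, 9 },   /* A = IP protocol                    */
    { JEQ_K,    0, 4, 6 },   /* TCP? otherwise jump to UDP test    */
    { LD_H_ABS, 0, 0, 22 },  /* A = TCP destination port           */
    { JEQ_K,    0, 1, 22 },  /* port 22?                           */
    { RET_K,    0, 0, 1 },   /* class 1                            */
    { RET_K,    0, 0, 3 },   /* class 3                            */
    { JEQ_K,    0, 1, 17 },  /* UDP? (A still holds the protocol)  */
    { RET_K,    0, 0, 2 },   /* class 2                            */
    { RET_K,    0, 0, 0 },   /* class 0                            */
};

/* Run prog over pkt; out-of-bounds loads and unknown opcodes yield class 0. */
static uint32_t classify(const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;
    for (size_t pc = 0; pc < sizeof prog / sizeof prog[0]; pc++) {
        const struct insn *i = &prog[pc];
        switch (i->code) {
        case LD_B_ABS: if (i->k >= len) return 0; a = pkt[i->k]; break;
        case LD_H_ABS: if (len < 2 || i->k > len - 2) return 0;
                       a = (uint32_t)pkt[i->k] << 8 | pkt[i->k + 1]; break;
        case JEQ_K:    pc += (a == i->k) ? i->jt : i->jf; break;
        case RET_K:    return i->k;   /* the operand is the class number */
        default:       return 0;
        }
    }
    return 0;
}
/* Build a constructed 24-byte packet and classify its first len bytes. */
static uint32_t class_of(uint8_t proto, uint16_t dport, size_t len)
{
    uint8_t p[24] = { 0x45 };
    p[9] = proto; p[22] = (uint8_t)(dport >> 8); p[23] = (uint8_t)dport;
    return classify(p, len > sizeof p ? sizeof p : len);
}
int main(void) {
    printf("%u %u %u\n", (unsigned)class_of(6, 22, 24),
           (unsigned)class_of(17, 53, 24), (unsigned)class_of(6, 80, 24));
    return 0;
}
```

The state awareness between packets that the message also asks for is outside this sketch; each call sees one packet only.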